[OSGeo-Discuss] Cyber Resilience Act staying informed on updates

Luís Moreira de Sousa luis.de.sousa at protonmail.ch
Fri Dec 8 00:57:53 PST 2023


Dear Jody,

thank you for the update. The last "trilogue" took place on the 30th of November and OSS was finally considered. A final document is now closed and will proceed through the successive steps towards approval. The CRA will come into force stepwise as discussed before, but now on different dates: first tier in January of 2026 and fully in January of 2027.

Various rumours have emanated out of the last "trilogue", sometimes conflicting. In truth the final document is not public; a clear understanding of its implications will not emerge before then. There are claims that Microsoft's concerns regarding distribution via code forges were addressed, but in parallel software stewards such as OSGeo will still be required to some form of compliance.

This situation is certainly frustrating, but there is no point in speculating before the complete Act is made fully public.

Best regards.

--
Luís
On Wednesday, December 6th, 2023 at 4:09 PM, Jody Garnett via Discuss <discuss at lists.osgeo.org> wrote:

> Follow up to November discussion and [blog post](https://www.osgeo.org/foundation-news/eu-cyber-resilience-act/) asking OSGeo community to be informed.
>
> - At the end of November Europe lawmakers agreed on something: https://www.consilium.europa.eu/en/press/press-releases/2023/11/30/cyber-resilience-act-council-and-parliament-strike-a-deal-on-security-requirements-for-digital-products/
>
> Free and open source was so far down the priority list that the press release does not even mention it.
>
> - Next there were assurances that free and open-source community concerns were addressed: https://www.europarl.europa.eu/news/en/press-room/20231106IPR09007/cyber-resilience-act-agreement-with-council-to-boost-digital-products-security
>
> The quote did indicate how our concerns were addressed:
>
>> We have ensured support for micro and small enterprises and better involvement of stakeholders, and addressed the concerns of the open-source community, while keeping an ambitious European dimension.
>
> - This week I can find articles providing clarifications that have been added: https://openforumeurope.org/eu-cyber-resilience-act-takes-a-leap-forward/
>
> Two clarifications:
>
>> the provision of free and open-source software products with digital elements that are not monetised by their manufacturers is not considered a commercial activity
>
>> The mere circumstances under which the product has been developed, or how the development has been financed should therefore not be taken into account when determining the commercial or non-commercial nature of [making free and open-source software available on the market].
>
> Jody